How can I force a remote office NOT on my domain to use a specific domain controller (or site) when authenticating to said domain?

A quick rundown of our environment first...

I work at the corporate office of a medium sized international corporation.  We have roughly 50 remote offices that all have permanent VPN tunnels to corporate... a big star if you will.  15 of those offices have a domain controller and their workstations are members of the corporate 2003 domain and so we have 16 sites total.  The others either have workgroups or have their own untrusted domain.  Typically remote offices CANNOT route to one another but can only get to the corporate 'hub'.

The Problem: One of these offices that has their own domain (untrusted) needs to access corporate resources which require authentication to the corporate domain.  They have a secondary DNS zone for the corporate domain so they can ping corporate resources by name.  The problem is that in my experience when you ping a fully qualified domain name you can get a response from any DC in your site.  If you are like this remote office and outside the domain and therefore not in a site... you can get a response from ANY domain controller in the entire forest.  Well, they only have network access to those DCs located at the corporate office, but often when they try to ping or authenticate to our domain, they are asking domain controllers at other remote offices and therefore get no response.  Is it possible to force a remote office when pinging or authenticating to the corporate domain to ONLY ask domain controllers in the corporate site? Or even just one specific domain controller at corporate?

I imagine if this could be done it would have to be done in DNS but I cannot figure out how it is possible.

Thanks in advance for any help!!

-Mike
LayneIT asked:
mcsween (Sr. Network Administrator) commented:
When they access a system that is not part of their domain the client does not do the authentication; all authentication requests to the domain controller are done by the target system.  Where are the target servers these clients are trying to access located?  If they are at the "hub" of your network you are having a different problem.  If they are located at the site then this could be an issue.

http://msdn.microsoft.com/en-us/library/aa378749(VS.85).aspx

You should set up site links in Active Directory.  This is how AD knows who can talk to whom and how fast the link is between sites.  In your scenario DO NOT create a site link bridge, as all the subnets cannot talk to each other.  Make sure only sites that can talk to each other are members of each site link.

This is often an issue in star network designs, as when you create a site in AD it forces you to add it to a site link.  Since you don't usually have all your site links set up when creating sites, everything gets added to the default site link, which makes AD think everyone can talk to each other.
gheist commented:
My end-user experience shows that the domain of the last logged-in admin is kept, and my IT experience tells me it should be in the HKLM registry.
Happy googling...
mcsween (Sr. Network Administrator) commented:
Oh, BTW you should also create a site, subnet, and site link in AD Sites and Services for every site that has to authenticate to domain resources even if there is no domain controller at the site.
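The two comments above (model only the links that physically exist, don't bridge them, and give every authenticating office its own site and subnet even without a DC) can be done in the GUI, but the following is an added example of doing the same from PowerShell so the topology is reproducible and reviewable. It is not code from the thread or from any of its participants. It assumes the ActiveDirectory module (RSAT) talking to a DC that exposes Active Directory Web Services or the AD Management Gateway Service, which a plain 2003 forest will not have without that gateway installed; the site names, subnet, cost and interval are placeholders, and the `options` bit on the IP transport is the attribute behind the "Bridge all site links" checkbox.

```powershell
# Added example (not from the thread): describe the hub-and-spoke VPN topology
# in AD Sites and Services so the DC locator stops offering domain controllers
# at spoke offices to clients that can only reach the hub.
# Assumes RSAT ActiveDirectory module + ADWS/AD Management Gateway on a DC.
Import-Module ActiveDirectory

$hubSite   = 'Corporate'              # site that holds the hub DCs (placeholder)
$spokeSite = 'RemoteOffice-Untrusted' # the office with no DC of its own (placeholder)
$spokeNet  = '10.50.0.0/24'           # that office's subnet (placeholder)

# 1. A site for the remote office, even though no domain controller lives there.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$spokeSite'")) {
    New-ADReplicationSite -Name $spokeSite
}

# 2. Map the office's subnet to that site so clients from that range are
#    treated as members of it rather than as "site-less" forest-wide clients.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$spokeNet'")) {
    New-ADReplicationSubnet -Name $spokeNet -Site $spokeSite
}

# 3. One site link per real tunnel: spoke <-> hub only. Never put two spokes in
#    the same link unless they can actually route to each other.
$linkName = "$hubSite-$spokeSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $hubSite, $spokeSite `
        -Cost 200 -ReplicationFrequencyInMinutes 180 `
        -InterSiteTransportProtocol IP
}

# 4. Turn off "Bridge all site links" on the IP transport. With bridging on, AD
#    assumes spoke A can reach spoke B via the hub, which this network cannot do.
#    Bit 0x2 (bridges required) set == checkbox cleared.
$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,' +
               (Get-ADRootDSE).configurationNamingContext
$opts = (Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$opts -bor 0x2) }

# 5. Verify from a machine at the remote office which DC the locator now hands
#    out for the hub site. nltest ships with Windows; the domain name is a placeholder.
nltest /dsgetdc:corp.example.com /site:$hubSite
```

Run steps 1 to 4 once on an admin workstation; step 5 is the check to repeat from the remote office after the change. If the target server sits at the hub, as the asker later found, the remote client never contacts a DC itself and the site work mainly helps the hub server and any future DC placed at the office.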
LayneIT (Author) commented:
Thanks, that put me on the right track.  We do have the sites set up correctly, but the problem is, I think, something in the application.  I was assuming the remote application needed to be able to access Active Directory directly, but really it is only trying to access a SQL server in the corporate site, and then THAT server does the communicating with Active Directory.

mcsween (Sr. Network Administrator) commented:
That is correct - Glad I could help get you on the right track.
LayneIT (Author) commented:
Still unresolved; however, we've decided to put a domain controller at the location, which will solve the issue.
LayneIT (Author) commented:
no additional comment